From 183659f6beac3e2ca41067bcfc5fa0aae092afb3 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sat, 21 Dec 2024 01:34:27 +0000 Subject: [PATCH 1/8] Update listing with threatintel-2024-12-21_01-29-50 --- docs/vulnerability_feeds/listing.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/vulnerability_feeds/listing.json b/docs/vulnerability_feeds/listing.json index 48f5b964a1..2f65b6b0f1 100644 --- a/docs/vulnerability_feeds/listing.json +++ b/docs/vulnerability_feeds/listing.json @@ -27,12 +27,6 @@ } ], "5": [ - { - "built": "2024-12-19T01:34:09.451157275Z", - "version": 5, - "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-19_01-30-20/threatintel-vuln-v5-2024-12-19_01-30-20.tar.gz", - "checksum": "44d274c70ef5b3abd27a1c063334cd9ae228e3b7fe93276a65ede71257d121c0" - }, { "built": "2024-12-19T13:12:23.003612089Z", "version": 5, @@ -50,6 +44,12 @@ "version": 5, "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-20_13-06-31/threatintel-vuln-v5-2024-12-20_13-06-31.tar.gz", "checksum": "f29901c028349b75f132dbf38ecb41dbb4cad8c8e10faac441caff6858461ba6" + }, + { + "built": "2024-12-21T01:33:39.889374654Z", + "version": 5, + "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-21_01-29-50/threatintel-vuln-v5-2024-12-21_01-29-50.tar.gz", + "checksum": "c216c2d4a3ddd46e236730ba3b5f2774bb0d39746bbb5870dc1a8d9f339ff6c7" } ] } From f7f6435b6f6da052d49895f85d851fc5da97f8ea Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sat, 21 Dec 2024 13:09:37 +0000 Subject: [PATCH 2/8] Update listing with threatintel-2024-12-21_13-05-02 --- docs/vulnerability_feeds/listing.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/vulnerability_feeds/listing.json b/docs/vulnerability_feeds/listing.json index 2f65b6b0f1..b13704cdee 100644 
--- a/docs/vulnerability_feeds/listing.json +++ b/docs/vulnerability_feeds/listing.json @@ -27,12 +27,6 @@ } ], "5": [ - { - "built": "2024-12-19T13:12:23.003612089Z", - "version": 5, - "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-19_13-08-31/threatintel-vuln-v5-2024-12-19_13-08-31.tar.gz", - "checksum": "044ca41250dacc8ea4fdaea0e0363a53ca98c030e5c07db37c0b02f35a962693" - }, { "built": "2024-12-20T01:33:48.82284732Z", "version": 5, @@ -50,6 +44,12 @@ "version": 5, "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-21_01-29-50/threatintel-vuln-v5-2024-12-21_01-29-50.tar.gz", "checksum": "c216c2d4a3ddd46e236730ba3b5f2774bb0d39746bbb5870dc1a8d9f339ff6c7" + }, + { + "built": "2024-12-21T13:08:51.464117911Z", + "version": 5, + "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-21_13-05-02/threatintel-vuln-v5-2024-12-21_13-05-02.tar.gz", + "checksum": "7d5cc41357ae11069379f9c1f7e65d18f928d3c1c3cf3eab83443c6abbb5270c" } ] } From 538c7a9be3b6a92a5294a078a81fa653ccec5a71 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sun, 22 Dec 2024 01:34:36 +0000 Subject: [PATCH 3/8] Update listing with threatintel-2024-12-22_01-30-00 --- docs/vulnerability_feeds/listing.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/vulnerability_feeds/listing.json b/docs/vulnerability_feeds/listing.json index b13704cdee..7083dc0557 100644 --- a/docs/vulnerability_feeds/listing.json +++ b/docs/vulnerability_feeds/listing.json 
@@ -27,12 +27,6 @@ } ], "5": [ - { - "built": "2024-12-20T01:33:48.82284732Z", - "version": 5, - "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-20_01-29-59/threatintel-vuln-v5-2024-12-20_01-29-59.tar.gz", - "checksum": "4f026a277483c26ce58bd13e72b490730bedf08a3b712180fc5b59e787b1dc2d" - }, { "built": "2024-12-20T13:10:34.372973445Z", "version": 5, @@ -50,6 +44,12 @@ "version": 5, "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-21_13-05-02/threatintel-vuln-v5-2024-12-21_13-05-02.tar.gz", "checksum": "7d5cc41357ae11069379f9c1f7e65d18f928d3c1c3cf3eab83443c6abbb5270c" + }, + { + "built": "2024-12-22T01:33:51.320571326Z", + "version": 5, + "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-22_01-30-00/threatintel-vuln-v5-2024-12-22_01-30-00.tar.gz", + "checksum": "9da24a9ef684761b6cffbb812a5c132589fa1881fb383a76c8a2a829fb54e6be" } ] } From b034a54daa797d43b2b43830cc6c03297dd6cf10 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sun, 22 Dec 2024 13:09:37 +0000 Subject: [PATCH 4/8] Update listing with threatintel-2024-12-22_13-05-01 --- docs/vulnerability_feeds/listing.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/vulnerability_feeds/listing.json b/docs/vulnerability_feeds/listing.json index 7083dc0557..6dbdb5ec10 100644 --- a/docs/vulnerability_feeds/listing.json +++ b/docs/vulnerability_feeds/listing.json @@ -27,12 +27,6 @@ } ], "5": [ - { - "built": "2024-12-20T13:10:34.372973445Z", - "version": 5, - "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-20_13-06-31/threatintel-vuln-v5-2024-12-20_13-06-31.tar.gz", - "checksum": "f29901c028349b75f132dbf38ecb41dbb4cad8c8e10faac441caff6858461ba6" - }, { "built": "2024-12-21T01:33:39.889374654Z", "version": 5, 
@@ -50,6 +44,12 @@ "version": 5, "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-22_01-30-00/threatintel-vuln-v5-2024-12-22_01-30-00.tar.gz", "checksum": "9da24a9ef684761b6cffbb812a5c132589fa1881fb383a76c8a2a829fb54e6be" + }, + { + "built": "2024-12-22T13:08:52.343967295Z", + "version": 5, + "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-22_13-05-01/threatintel-vuln-v5-2024-12-22_13-05-01.tar.gz", + "checksum": "3a3c473a0b27829cce03e5b2887d83f3967f1f4dbf945112be9eb707bf33fab1" } ] } From c80f9f3fa6009f7d2d2501e5043ee3c91fa9ab6c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 23 Dec 2024 01:34:35 +0000 Subject: [PATCH 5/8] Update listing with threatintel-2024-12-23_01-29-58 --- docs/vulnerability_feeds/listing.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/vulnerability_feeds/listing.json b/docs/vulnerability_feeds/listing.json index 6dbdb5ec10..b71bb9db41 100644 --- a/docs/vulnerability_feeds/listing.json +++ b/docs/vulnerability_feeds/listing.json @@ -27,12 +27,6 @@ } ], "5": [ - { - "built": "2024-12-21T01:33:39.889374654Z", - "version": 5, - "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-21_01-29-50/threatintel-vuln-v5-2024-12-21_01-29-50.tar.gz", - "checksum": "c216c2d4a3ddd46e236730ba3b5f2774bb0d39746bbb5870dc1a8d9f339ff6c7" - }, { "built": "2024-12-21T13:08:51.464117911Z", "version": 5, 
@@ -50,6 +44,12 @@ "version": 5, "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-22_13-05-01/threatintel-vuln-v5-2024-12-22_13-05-01.tar.gz", "checksum": "3a3c473a0b27829cce03e5b2887d83f3967f1f4dbf945112be9eb707bf33fab1" + }, + { + "built": "2024-12-23T01:33:49.55866399Z", + "version": 5, + "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-23_01-29-58/threatintel-vuln-v5-2024-12-23_01-29-58.tar.gz", + "checksum": "1388db9a0fb9646333d927e7ada5a68549116dde22f16e0d6330d7c5a11684eb" } ] } From 8df9bd0fc4c7f142f24da90bc88ffbeb01aadf13 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 23 Dec 2024 13:11:32 +0000 Subject: [PATCH 6/8] Update listing with threatintel-2024-12-23_13-06-54 --- docs/vulnerability_feeds/listing.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/vulnerability_feeds/listing.json b/docs/vulnerability_feeds/listing.json index b71bb9db41..bfe99bc85a 100644 --- a/docs/vulnerability_feeds/listing.json +++ b/docs/vulnerability_feeds/listing.json @@ -27,12 +27,6 @@ } ], "5": [ - { - "built": "2024-12-21T13:08:51.464117911Z", - "version": 5, - "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-21_13-05-02/threatintel-vuln-v5-2024-12-21_13-05-02.tar.gz", - "checksum": "7d5cc41357ae11069379f9c1f7e65d18f928d3c1c3cf3eab83443c6abbb5270c" - }, { "built": "2024-12-22T01:33:51.320571326Z", "version": 5, 
@@ -50,6 +44,12 @@ "version": 5, "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-23_01-29-58/threatintel-vuln-v5-2024-12-23_01-29-58.tar.gz", "checksum": "1388db9a0fb9646333d927e7ada5a68549116dde22f16e0d6330d7c5a11684eb" + }, + { + "built": "2024-12-23T13:10:46.878575377Z", + "version": 5, + "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-23_13-06-54/threatintel-vuln-v5-2024-12-23_13-06-54.tar.gz", + "checksum": "3bd81a3dc26e4a37cf9eb628dc3975e12bb9488ab489a0582c3baf2d321f567b" } ] } From db2045403717318030ec3fbed25a2042e965d05f Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 24 Dec 2024 01:34:29 +0000 Subject: [PATCH 7/8] Update listing with threatintel-2024-12-24_01-29-54 --- docs/vulnerability_feeds/listing.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/vulnerability_feeds/listing.json b/docs/vulnerability_feeds/listing.json index bfe99bc85a..3864eddea1 100644 --- a/docs/vulnerability_feeds/listing.json +++ b/docs/vulnerability_feeds/listing.json @@ -27,12 +27,6 @@ } ], "5": [ - { - "built": "2024-12-22T01:33:51.320571326Z", - "version": 5, - "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-22_01-30-00/threatintel-vuln-v5-2024-12-22_01-30-00.tar.gz", - "checksum": "9da24a9ef684761b6cffbb812a5c132589fa1881fb383a76c8a2a829fb54e6be" - }, { "built": "2024-12-22T13:08:52.343967295Z", "version": 5, 
@@ -50,6 +44,12 @@ "version": 5, "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-23_13-06-54/threatintel-vuln-v5-2024-12-23_13-06-54.tar.gz", "checksum": "3bd81a3dc26e4a37cf9eb628dc3975e12bb9488ab489a0582c3baf2d321f567b" + }, + { + "built": "2024-12-24T01:33:45.207102018Z", + "version": 5, + "url": "https://threat-intel.deepfence.io/vulnerability-db/releases/download/threatintel-vuln-v5-2024-12-24_01-29-54/threatintel-vuln-v5-2024-12-24_01-29-54.tar.gz", + "checksum": "9eb56b5080f8a21a6464df489fa0d0e42155b03951a343228d893b8f6ed5b167" } ] } From c00a8aff04c6baf403b1f93e76dabd295d858299 Mon Sep 17 00:00:00 2001 From: Ramanan Ravikumar <38394463+ramanan-ravi@users.noreply.github.com> Date: Tue, 24 Dec 2024 11:24:39 +0530 Subject: [PATCH 8/8] Update Jenkins example (#2401) --- ci-cd-integrations/jenkins/README.md | 69 ++++--------------- ...abilities_declarative_pipeline.Jenkinsfile | 40 +++++++++++ ...erabilities_scripted_pipeline.Jenkinsfile} | 0 3 files changed, 54 insertions(+), 55 deletions(-) create mode 100644 ci-cd-integrations/jenkins/vulnerabilities_declarative_pipeline.Jenkinsfile rename ci-cd-integrations/jenkins/{vulnerabilities.Jenkinsfile => vulnerabilities_scripted_pipeline.Jenkinsfile} (100%) diff --git a/ci-cd-integrations/jenkins/README.md b/ci-cd-integrations/jenkins/README.md index 1d8e7fcdfe..dce9c17277 100644 --- a/ci-cd-integrations/jenkins/README.md +++ b/ci-cd-integrations/jenkins/README.md 
@@ -1,58 +1,17 @@ -# Jenkins example for Deepfence Vulnerability Mapper +# Jenkins example -This project demonstrates using Deepfence Vulnerability Mapper in Jenkins build pipeline. -After customer's image is built, Deepfence Vulnerability Mapper is run on the image and results are sent to Deepfence management console for further analysis. -There is also an option to fail the build in case number of vulnerabilities crosses given limit. +### Vulnerability Scan -| Variable | Description | -|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------| -| def deepfence_mgmt_console_url = '' | Deepfence management console url | -| def deepfence_key = "" | API key can be found on settings page of the deepfence | -| def fail_cve_count = 100 | Fail jenkins build if number of vulnerabilities found is >= this number. Set -1 to pass regardless of vulnerabilities. | -| def fail_critical_cve_count = 1 | Fail jenkins build if number of critical vulnerabilities found is >= this number. Set -1 to pass regardless of critical vulnerabilities. | -| def fail_high_cve_count = 5 | Fail jenkins build if number of high vulnerabilities found is >= this number. Set -1 to pass regardless of high vulnerabilities. | -| def fail_medium_cve_count = 10 | Fail jenkins build if number of medium vulnerabilities found is >= this number. Set -1 to pass regardless of medium vulnerabilities. | -| def fail_low_cve_count = 20 | Fail jenkins build if number of low vulnerabilities found is >= this number. Set -1 to pass regardless of low vulnerabilities. | -| def fail_cve_score = 8 | Fail jenkins build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score. | -| def mask_cve_ids = "" | Comma separated. 
Example: "CVE-2019-9168,CVE-2019-9169" | -| def deepfence_license = "" | ThreatMapper or ThreatStryker | -| def deepfence_product = "" | ThreatMapper or ThreatStryker license key | +Please refer the following files +- vulnerabilities_scripted_pipeline.Jenkinsfile +- vulnerabilities_declarative_pipeline.Jenkinsfile -## Steps -- Ensure `quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2` image is present in the vm where jenkins is installed. -```shell script -docker pull quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2 -``` -### Scripted Pipeline -``` -stage('Run Deepfence Vulnerability Mapper'){ - DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2") - try { - c = DeepfenceAgent.run("-it --net=host -v /var/run/docker.sock:/var/run/docker.sock", "-deepfence-key=${deepfence_key} -vulnerability-scan=true -output=table -mode=local -mgmt-console-url=${deepfence_mgmt_console_url} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'") - sh "docker logs -f ${c.id}" - def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true - sh "exit ${out}" - } finally { - c.stop() - } -} -``` -### Declarative Pipeline -``` -stage('Run Deepfence Vulnerability Mapper'){ - steps { - script { - DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2") - try { - c = DeepfenceAgent.run("-it --net=host -v /var/run/docker.sock:/var/run/docker.sock", "-deepfence-key=${deepfence_key} -vulnerability-scan=true -output=table -mode=local -mgmt-console-url=${deepfence_mgmt_console_url} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} 
-fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'") - sh "docker logs -f ${c.id}" - def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true - sh "exit ${out}" - } finally { - c.stop() - } - } - } -} -``` -- Set `deepfence_mgmt_console_url`, `fail_cve_count` variables in Jenkinsfile +### Secret Scan + +Please refer the following file +- secrets.Jenkinsfile + +### Malware Scan + +Please refer the following file +- malwares.Jenkinsfile \ No newline at end of file diff --git a/ci-cd-integrations/jenkins/vulnerabilities_declarative_pipeline.Jenkinsfile b/ci-cd-integrations/jenkins/vulnerabilities_declarative_pipeline.Jenkinsfile new file mode 100644 index 0000000000..3af3d1c843 --- /dev/null +++ b/ci-cd-integrations/jenkins/vulnerabilities_declarative_pipeline.Jenkinsfile 
@@ -0,0 +1,40 @@
+node {
+ def app
+ def full_image_name = 'deepfenceio/jenkins-example:latest'
+ def deepfence_mgmt_console_url = '127.0.0.1' // URL address of Deepfence management console Note - Please do not mention port
+ def fail_cve_count = 100 // Fail jenkins build if number of vulnerabilities found is >= this number. Set -1 to pass regardless of vulnerabilities.
+ def fail_critical_cve_count = 1 // Fail jenkins build if number of critical vulnerabilities found is >= this number. Set -1 to pass regardless of critical vulnerabilities.
+ def fail_high_cve_count = 5 // Fail jenkins build if number of high vulnerabilities found is >= this number. Set -1 to pass regardless of high vulnerabilities.
+ def fail_medium_cve_count = 10 // Fail jenkins build if number of medium vulnerabilities found is >= this number. Set -1 to pass regardless of medium vulnerabilities.
+ def fail_low_cve_count = 20 // Fail jenkins build if number of low vulnerabilities found is >= this number. Set -1 to pass regardless of low vulnerabilities.
+ def fail_cve_score = 8 // Fail jenkins build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score.
+ def mask_cve_ids = "" // Comma separated. Example: "CVE-2019-9168,CVE-2019-9169"
+ def deepfence_key = "" // API key can be found on settings page of the deepfence
+ def deepfence_license = "" // ThreatMapper or ThreatStryker
+ def deepfence_product = "" // ThreatMapper or ThreatStryker license key
+
+ stage('Clone repository') {
+ checkout scm
+ }
+
+ stage('Build image') {
+ app = docker.build("${full_image_name}", "-f ci-cd-integrations/jenkins/Dockerfile .")
+ }
+
+ stage('Run Deepfence Vulnerability Mapper'){
+ steps {
+ script {
+ DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2")
+ try {
+ c = DeepfenceAgent.run("-it --net=host --privileged -v /var/run/docker.sock:/var/run/docker.sock:rw", "-deepfence-key=${deepfence_key} -console-url=${deepfence_mgmt_console_url} -product=${deepfence_product} -license=${deepfence_license} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'")
+ sh "docker logs -f ${c.id}"
+ def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true
+ sh "exit ${out}"
+ } finally {
+ c.stop()
+ }
+ }
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/ci-cd-integrations/jenkins/vulnerabilities.Jenkinsfile b/ci-cd-integrations/jenkins/vulnerabilities_scripted_pipeline.Jenkinsfile
similarity index 100%
rename from ci-cd-integrations/jenkins/vulnerabilities.Jenkinsfile
rename to ci-cd-integrations/jenkins/vulnerabilities_scripted_pipeline.Jenkinsfile
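Review bot: The new `vulnerabilities_declarative_pipeline.Jenkinsfile` is wrapped in a scripted `node { … }` block yet its last stage uses `steps { script { … } }`, which are Declarative-only directives that a scripted pipeline rejects at runtime (`No such DSL method 'steps'`); the file should use the `pipeline { agent any; stages { … } }` skeleton sketched below, keeping the `def` variables above `pipeline {}` and moving `app = docker.build(...)` into a `script {}` step. Separately, the `DeepfenceAgent.run(...)` line adds `--privileged` on top of the `/var/run/docker.sock:rw` bind mount that the previous README example ran without; socket access is already host-root-equivalent, and `--privileged` further disables seccomp/AppArmor and exposes host devices, so drop it unless the 2.5.2 scanner image is documented to require it. The API key and license are plain `def deepfence_key = ""` / `def deepfence_license = ""` values in a committed file and are then passed as container arguments, where they are readable by anyone with Docker-socket access via `docker inspect` and are presumably echoed into the build console by the Docker Pipeline plugin's `docker run` line; bind them from Jenkins credentials instead, e.g. `withCredentials([string(credentialsId: 'deepfence-api-key', variable: 'DEEPFENCE_KEY'), string(credentialsId: 'deepfence-license', variable: 'DEEPFENCE_LICENSE')]) { … }`, and check whether the scanner accepts them via `-e` environment variables rather than command-line flags.
```groovy
// … unchanged: def full_image_name / threshold / credential variables …
pipeline {
    agent any
    stages {
        stage('Clone repository') {
            steps { checkout scm }
        }
        stage('Build image') {
            steps {
                script { app = docker.build("${full_image_name}", "-f ci-cd-integrations/jenkins/Dockerfile .") }
            }
        }
        stage('Run Deepfence Vulnerability Mapper') {
            steps {
                script {
                    DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2")
                    try {
                        // --privileged removed; the socket mount alone is what the scanner needs here
                        c = DeepfenceAgent.run("-it --net=host -v /var/run/docker.sock:/var/run/docker.sock:rw", "-deepfence-key=${deepfence_key} -console-url=${deepfence_mgmt_console_url} -product=${deepfence_product} -license=${deepfence_license} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'")
                        // … unchanged: docker logs / docker inspect exit-code / sh exit …
                    } finally {
                        c.stop()
                    }
                }
            }
        }
    }
}
```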